BIND Updates Patch High-Severity Vulnerabilities

Summary

Internet Systems Consortium (ISC) patched four vulnerabilities in BIND 9, including two high-severity bugs: CVE-2026-3104 (memory leak in DNSSEC proof handling) and CVE-2026-1519 (high CPU consumption during DNSSEC validation). Both can lead to denial-of-service conditions. Patches were released in BIND versions 9.18.47, 9.20.21, and 9.21.20, with no known active exploitation reported.

Full text

Internet Systems Consortium (ISC) on Wednesday rolled out a fresh round of BIND 9 updates to resolve four vulnerabilities, including two high-severity bugs. Tracked as CVE-2026-3104, the first high-severity flaw is described as a memory leak issue impacting code preparing DNSSEC proofs of non-existence. The security defect can be exploited via crafted domains to cause a memory leak in BIND resolvers. Authoritative servers may not be impacted, ISC notes in its advisory. “If a BIND resolver is asked to query a specially crafted domain, memory will not be recovered by named. This can cause unbounded growth of Resident Set Size (RSS) memory, which may lead to an out-of-memory condition. Additionally, named will exit with an assertion failure if a shutdown or reload is attempted,” ISC explains. The second high-severity vulnerability patched in the DNS software suite is CVE-2026-1519, which can lead to high CPU consumption when the resolver encounters a maliciously crafted zone during DNSSEC validation. This could lead to a sharp decrease in the number of handled queries. While not recommended, disabling DNSSEC prevents the exploitation of this vulnerability, ISC notes.Advertisement. Scroll to continue reading. Exploitation of both CVE-2026-3104 and CVE-2026-1519 can lead to denial of service (DoS), according to an advisory from Ubuntu, which provides BIND packages to its users. The first medium-severity flaw addressed in the latest BIND releases is CVE-2026-3119, which could lead to unexpected named termination during the processing of a query containing a TKEY record. The second is CVE-2026-3591, a use-after-return flaw in SIG(0) handling code that could lead to ACL bypass. The issue can be exploited via specially crafted DNS requests. Patches for these security defects were included in BIND versions 9.18.47, 9.20.21, and 9.21.20, and in BIND Supported Preview Edition versions 9.18.47-S1 and 9.20.21-S1. ISC says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on its software updates page. Related: Cisco Patches Multiple Vulnerabilities in IOS Software Related: iOS, macOS 26.4 Roll Out With Fresh Security Patches Related: Chrome 146 Update Patches High-Severity Vulnerabilities Related: QNAP Patches Four Vulnerabilities Exploited at Pwn2Own Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire iOS, macOS 26.4 Roll Out With Fresh Security PatchesFCC Bans New Routers Made Outside the US Over National Security RisksFrom Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPIExtortion Group Claims It Hacked AstraZenecaChrome 146 Update Patches High-Severity Vulnerabilities3.1 Million Impacted by QualDerm Data BreachCritical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms WarnMazda Says Employee, Partner Information Stolen in Cyberattack Latest News Hightower Holding Data Breach Impacts 130,000Chinese Hackers Caught Deep Within Telecom Backbone InfrastructureCisco Patches Multiple Vulnerabilities in IOS SoftwareAlleged RedLine Malware Administrator Extradited to USDell and HP Roll Out Quantum-Resistant Device Security and AI-Era Cyber ResilienceOnit Security Raises $11 Million for Exposure Management PlatformRussian Cybercriminal Gets 2-Year Prison Sentence in US AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest Link Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveToken has appointed Katy Nelson as Chief Revenue Officer.Hemant Baidwan has joined Knox Systems as Chief Information Security Officer.The US Senate confirmed Markwayne Mullin as DHS Secretary.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-3104
• cve — CVE-2026-1519
• cve — CVE-2026-3119
• cve — CVE-2026-3591